In September 2015, several sources (such as the Wall Street Journal) reported that Google was claiming 1.4 billion active users of Android, and that 1 billion people had used the Play store in a recent 30-day period. I haven’t seen more recent figures, but I’m sure they haven’t been diminishing. While this is all very good news for Google – perhaps less so when we it’s something to bear in mind when browsing Google’s report Android Security 2015 Year In Review.
While describing Google’s ongoing improvements to Android security, the report also mentions that ‘…successful exploitation of vulnerabilities on Android devices continued to be extremely rare during 2015…’, which is good to know, but it would be nice to see that quantified. That sentence is placed next to some observations on ‘Potentially Harmful Applications’ (PHAs), but how much malware is focused on OS or application vulnerabilities rather than social engineering? I don’t have information specific to Android that would enable me to answer that authoritatively, but I’d expect it to be fairly small.
Android 6 (Marshmallow) benefits from a wide range of security measures. However, the report indicates that nearly 30% of active Android devices are still on an OS version earlier than 4.4.4 (KitKat), and that suggests well over 400 million devices Google doesn’t support with patches.
Patches are supplied to manufacturers and (since August 5th 2015) to the Android Open Source Project, but that doesn’t, of course, mean that all those updates find their way to all consumers’ devices. However, the report says that device manufacturers are beginning to document their commitment to updating. (There’s also an issue with an undetermined number of devices that don’t use the official licensed OS version.)
Google does pick up on a point recently made by Dino Dai Zovi at Black Hat Asia. According to The Register, he observed that “The ecosystem is such that it makes exploitation more difficult because it needs to be designed for [each device]”, which Google translates into ‘Over time, we’ve come to recognize that the diversity of devices is a security strength unique to the Android ecosystem…Android’s varied ecosystem (with over 60,000 different device models) provides a naturally occurring defense against simple widespread exploitation…’ There’s some truth in that, of course, but I think its importance can be overstated.
On the topic of PHAs, the percentages are reassuringly small as stated by Google.
On average, less than 0.5% of devices had a PHA installed during 2015 and devices that only installed applications from Google Play averaged less than 0.15%.
I must confess to being slightly confused as to what ‘average’ is being estimated here. In any case, in the context of the huge Android user-base, what Google regards as a small percentage may seem quite impressive. At any rate, by my reckoning that makes about 7,000,000 devices with a PHA, and I don’t think that’s trivial. Unfortunately, if there’s a number given for devices that installed only from Google Play, I missed it, so I don’t know what 0.15% is in ‘actual’ figures. But it makes sense, given the resources Google devotes to verifying apps available through Play, that the percentage would be smaller than for devices that install apps from other sources.
Still, in his introductory blog, Andrew Ludwig says:
One important goal of releasing this report is to drive an informed conversation about Android security. We hope to accomplish this by providing more information about what we are doing, and what we see happening in the ecosystem.
There are lots of positives in this report. And that really is a worthy aim.